We really should remove cost as a reason for educational institutions to avoid purchasing a hardware firewall. The discount that the major vendors offer (I am familiar with Cisco & SonicWall, but I am sure the others are similar) for these organizations is really, really sweet. In some cases it goes up to a fifty percent discount!
In my mind there is a difference between "reason" and "excuse"... cost may be an excuse for not implementing a proper firewall, but it is never a reason. There may be other reasons, but frankly nothing in this discussion has convinced me of it. I feel that a firewall is a necessary line of defense for anyone that is connected to the Internet, be it a home DSL/Cable Modem user, small business, corporation, government entity, or educational institution.
Of course, this is only my opinion. I trust that everyone will take this in the spirit of open discussion as intended, and not be offended!
Micheal Patterson <micheal at cancercare.net> wrote:
Bob, I can't tell that you're not missing anything. Many of the world's top
security analysts will tell you that in today's day and age of the Internet,
it's best to have a tiered security structure of some sort. Personally, I
have access lists at my border router that are pretty open but catch the
most obvious issues (Code Red, netbios, ip spoofing, etc), then I have a
firewall directly behind it that blocks everything by default with the
exception of traffic to the various necessary services that have to be made
available for the company to function. The firewall is stateful for outbound
traffic so dynamic rules are created as needed. These dynamic rules time out
at 120 seconds. The deny rule logs all rejected traffic to give me a pretty
good idea what's trying to get in. If necessary, I have the ability to rate
limit outbound traffic at the firewall as well but so far, that's not been
necessary BUT it is available just in case.
As far as locations not using / wanting a firewall, IMHO it usually boils
down to 1 of 3 things:
1. Money, 2. Politics and 3. Ignorance (not stupidity)
Re 1: People don't want to spend the money to purchase a hardware firewall.
Nor do they want to take the time to implement any system with one built in
(*BSD, Linux, etc) using IPFW, IPFilter, IPChains, etc. Various companies
that I've run into over the years think that a firewall for a DS3 needs to
be one massive machine when it usually doesn't. I've known many locations
that are running P2 systems with 128mb ram that have been just lying around
doing nothing and are now firewall / packet filter systems and they run fine
as long as that's ALL they do.
Re 2: Persons in charge feel that there is no need to restrict traffic from
their network nor do they make any allowances "just in case" they have a
need to do so. It's all a "damn, what do we do now?" thing when reality
hits.
Re 3: People blindly believe that their systems are secure because they're
running latest patches. Not taking into consideration that there may be
other insecure items that just haven't been discovered yet. They trust MS to
completely patch against exploits, etc. They believe that the vendors are
taking action with their best interests in mind. This isn't always true, but
they believe it.
For me, I'd prefer to have as many locks on my network as I can get my hands
on.
--
Micheal Patterson
Network Administration
----- Original Message -----
From: "Bob Savage"
To:
Sent: Monday, October 28, 2002 8:41 AM
Subject: RE: [Dshield] Secure computing (was: Port 135)
> I know this discussion is way over my head, but I don't understand the
> resistance here to using a firewall of some kind as part of the program.
> I must be missing a basic concept. Why would this be looked at
> differently in an educational institution? Isn't it just common sense
> to put a lock on the door even in a school?
>> Bob Savage
_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
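As an added illustration (not code from the thread or from any of the posters), this Python model shows the stateful part of the setup Micheal describes: inbound traffic is denied by default except for the published services, outbound traffic creates a dynamic rule that times out after 120 seconds, and every rejected packet is logged. The addresses, the published services, and the assumption that a matching reply refreshes the timer are constructed for the example.

```python
"""Toy model of a default-deny firewall with stateful outbound rules that
expire after 120 seconds and a logging deny rule (constructed example)."""
from dataclasses import dataclass

DYNAMIC_RULE_TIMEOUT = 120  # seconds, as described in the thread

# Inbound services that must stay reachable (constructed values: a mail
# server and a web server on the internal network).
ALLOWED_INBOUND_SERVICES = {("tcp", "10.0.0.10", 25), ("tcp", "10.0.0.11", 80)}


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (from the Internet) or "out" (to the Internet)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    def __init__(self):
        self.dynamic = {}   # (proto, inside, iport, outside, oport) -> expiry time
        self.deny_log = []  # one entry per rejected packet

    def _expire(self, now):
        # Drop dynamic rules whose timer has run out.
        self.dynamic = {k: t for k, t in self.dynamic.items() if t > now}

    def handle(self, pkt, now):
        """Return 'allow' or 'deny' for pkt seen at time `now` (seconds)."""
        self._expire(now)
        if pkt.direction == "out":
            # Outbound is permitted; remember the session so replies can return.
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.dynamic[key] = now + DYNAMIC_RULE_TIMEOUT
            return "allow"
        # Inbound: first the explicitly published services ...
        if (pkt.proto, pkt.dst, pkt.dport) in ALLOWED_INBOUND_SERVICES:
            return "allow"
        # ... then replies to live outbound sessions (assumed to refresh the timer).
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.dynamic:
            self.dynamic[key] = now + DYNAMIC_RULE_TIMEOUT
            return "allow"
        # Default deny, logged so the admin can see what is trying to get in.
        self.deny_log.append(
            f"t={now} deny {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "deny"
```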